Identity, Attribution, and the Challenge of Targeting in the Cyberdomain

Colonel Glenn Voelz, USA, and Sarah Soliman


Abstract. The cyberdomain has become “key terrain” of irregular warfare with
state and nonstate actors leveraging social media and other digital tools for
command and control, intelligence gathering, training, recruiting, and propaganda.
Department of Defense cyberstrategy highlights the urgent need for improved
cyber situational awareness to reduce anonymity in cyberspace. This requires new
technologies, doctrine, and analytical approaches for identifying and targeting
adversaries operating in a digital landscape. This article examines identity-based
targeting approaches developed during recent conflicts as a possible starting point
for this effort.

One of the early lessons learned during the conflicts in Iraq and Afghanistan
was how legacy intelligence systems and methods designed for waging conventional
warfare against state-based adversaries could not provide the kind of information
needed to effectively target irregular combatants.1 These new adversaries were
organized as distributed networks comprised of individuals often indistinguishable
from surrounding populations. This operational challenge demanded new technologies
and methods for identifying individual combatants, characterizing and geo-locating
their activities, and analyzing the structure of their networks. Within this
operational environment, combatant identity and pattern of life information became
crucial elements of high-value targeting and the process of removing insurgents and
terrorist networks from the battlefield.2

In many respects, this mode of warfare marked a major paradigm shift for
the U.S. military. It demanded intelligence collection technologies and analytical
methods very different from those designed for detecting motorized rifle battalions
and targeting conventional weapons platforms. These adaptations evolved
over a decade of intense counterinsurgency and counterterrorism campaigns
against irregular adversaries that transformed methods of operational targeting
and made combatant identity into a highly salient feature of modern combat.
The evolution of identity-based targeting involved a process of doctrinal and
technical innovation that brought new tools to the battlefield, such as biometrics,
forensics, and DNA analysis.3 These capabilities helped U.S. forces navigate the
complex human terrain of the irregular battlefield and “put a uniform on the
enemy” by reducing their ability to use anonymity for military advantage.

These technologies were applied within the context of new doctrinal concepts,
such as Identity Intelligence (I2) and Find, Fix, Finish, Exploit, Analyze,
and Disseminate (F3EAD). In I2, various identity attributes (biologic, biographic,
behavioral, and reputational information) were fused with other tactical information
to connect individual combatants to other persons, places, events, and
materials on the battlefield. The F3EAD cycle was enabled by data-intensive
analytical methods deeply influenced by social network theory and targeting
processes specifically designed for engaging high-value individuals and dismantling
their networks.

The next evolution in warfare is likely to reflect elements of continuity with
these recent experiences even as specific tools and methods evolve. Future
adversaries will continue to seek out asymmetric means to circumvent U.S.
conventional force advantages. To do this, they will most certainly exploit cutting-edge
commercial technologies and communications to generate tactical leverage
against well-equipped militaries. As in recent conflicts, these adversaries are likely
to avoid direct engagement by using anonymity to conceal operations, protect
networks, and complicate targeting for U.S. forces. Some of these methods resemble
what commentators have dubbed “gray zone” conflicts, or wars characterized
by “‘hybrid’ threats that may combine subversion, destabilizing social media
influence, disruptive cyber attacks, and anonymous ‘little green men’ instead of
recognizable armed forces making overt violations of international borders.”4
Moreover, these methods are likely to be adopted by state as well as nonstate
actors. As General Joseph L. “Joe” Votel, commander of U.S. Special Operations
Command, recently noted, such conflicts are likely to be defined by ambiguity
and even uncertainty regarding the parties involved.5

Within this operational paradigm, the cyberdomain is likely to emerge as “key
terrain” of these future battlefields.6 Over the last few years, a range of
nation-state and nonstate actors from Russia to the Islamic State have aggressively
leveraged cybertools as part of their intelligence gathering, operational planning,
internal communications, recruiting, and strategic messaging—all directed toward
creating tangible effects in the physical battlespace. As such methods expand,
they are likely to present conventional military forces with targeting challenges
similar to those experienced during the last decade in Iraq and Afghanistan.
Specifically, modern irregular adversaries have been empowered by their ability to
hide among the populace, avoid attribution, and complicate the targeting process
for conventional military forces.7 These methods apply to the cyberdomain as
well as the physical battlespace. Adversaries are already leveraging cybertools to
create demonstrable effects in the physical landscape while manipulating their
digital identities to hide, deceive, and confuse observers as to the nature of their
activities. Furthermore, the technical tools and methods for masking identity and
obscuring attribution are increasingly available even to those with limited technical
expertise.

One U.S. Department of Defense (DOD) cyberspace policy report observed
how the technical protocols of the Internet provide the means of protecting
anonymity and veiling attribution in a manner that “both nations and non-state
actors clearly understand.”8 Such methods are likely to be used in the future as
a means for generating strategic advantage. Yet even as U.S. forces increasingly
maneuver within this digital landscape, they lack sufficient situational awareness
concerning the other actors seeking to influence the operational environment.
This situation presents a growing risk for conventional military forces, particularly
at the operational level where units lack the robust capabilities to identify, monitor,
and target key actors in the cyberpersona layer.9 Problems include a lack of
technical tools and expertise enabling commanders to visualize the cyberpersona
layer (see figure 1) as well as a doctrinal framework for assessing risks and making
effective targeting determinations within this environment.

Adapting to these new challenges will likely require a paradigm shift equal
in scope and complexity to the recent evolution of identity-based targeting. In
fact, this example may offer several useful parallels in this process, including a
template for the process of military innovation and the development of technical
tools and supporting doctrine to enable military forces to operate against these
new threats. Similar to the complex human terrain of Iraq and Afghanistan, the
cyberdomain represents an ill-defined and unbounded battlespace. It contains
adversaries who may not wear uniforms or even occupy a discrete physical area
on the battlefield. These virtual combatants are likely to have the technical means
to conceal identities, veil attribution, and mask movements across the digital
landscape. Within this environment, the issue of combatant identity is likely to persist
as one of the most challenging aspects of effective targeting.

Given these concerns, it may be shortsighted to simply view cyberthreats in
a narrow technical sense by limiting them to data packets and malware. As this
article suggests, there are several important parallels between the identity-based
targeting methods applied in the physical domain and what will be needed for
military forces to effectively target future adversaries in the cyberdomain. A key
aspect for consideration involves developing new methods that link abstract
cyberpersonae to actual physical identities, which reveal the nature of individuals’
networks, methods, objectives, and functions. As one group of experts recently
observed, even in the highly technical and abstract domain of cyberspace, “all
operations still begin with a human being.”10

Anonymity and Power in the Cyberdomain

The dramatic rise of the Islamic State in Iraq and the Levant (ISIL) perhaps
offers the most vivid example of how the cyberdomain has become a highly relevant
aspect of the contemporary operational environment. Over a relatively short
period, ISIL has demonstrated how a combination of digital technologies, global
communications networks, and social media platforms can be combined to generate
powerful effects in the physical battlespace. The group has made extremely
effective use of these tools for operational planning, disseminating training
materials and technical information, and coordinating among widely dispersed
affiliates and supporters. ISIL famously proliferates high-quality media content across
multiple platforms as part of its strategic messaging and recruiting campaigns.11
Its social media presence and distribution of digital magazines, such as Dabiq and
Konstantiniyye, provide dramatic examples of how terrorist organizations are now
using cyberspace to amplify the power of propaganda and extend their influence.
ISIL has even developed original web applications providing its supporters with
direct access to video and text updates about life under the Islamic State and
announcements of battlefield victories.12

Social media in particular has become a key enabler for insurgent groups and
terrorist organizations in recent years. Popular applications like Twitter, YouTube,
Facebook, Tumblr, and Instagram have created a digital ecosystem providing
such nonstate actors with unprecedented global reach. Militant groups in Gaza,
terrorist cells in Mali, oil traffickers in Nigeria, and pirates off the Somali coast
have all used social media as ad hoc communication networks and as platforms
for conducting information operations. In many respects, social media provides
the ideal medium for adversaries who operate as highly distributed entities but
lack the technical capabilities and financial resources to build and manage formal
command and control networks. The recent National Intelligence Council report,
Global Trends 2030, noted how these social media architectures have become
“inherently resistant to centralized oversight and control,” enabling individuals,
small groups, and ad hoc coalitions of nonstate actors to shift traditional power
sources and authorities.13

The Syrian conflict provides perhaps the most powerful example of how the
cyberdomain has become fully interwoven into the fabric of modern conflict.
This war has been called “the most socially mediated civil conflict in history,” with
fighters routinely using Facebook, YouTube, Twitter, Diaspora, and Snapchat for
a variety of operational, communication, and propaganda functions.14 Analysis
from late 2014 identified at least 46,000 Twitter accounts used by members and
supporters of the Islamic State while the Federal Bureau of Investigation (FBI)
estimated that some 200,000 people each day access the group’s messaging via
social media to include “videos, instruction manuals, and other material posted on
militant Islamist social media sites.”15 While ISIL has perhaps become the most
adept user of such tools, the phenomenon is by no means limited to the Islamic
State. In Syria, the al-Qaeda linked al-Nusra Front has also used social media for
posting press releases and issuing informal communiques including text, photographs,
and videos detailing recent fighting, even posting personalized eulogies
for its members killed in combat.16 Al-Qaeda is often credited with establishing
the early model for Internet-based jihadist propaganda with the publication of
its online magazine Inspire, designed for outreach to English-speaking Muslims.
More recently the group has launched a new branch focused on cyberoffensive
operations, allegedly executing a campaign of digital defacements, data exfiltrations,
and denial of service attacks against Western interests.17

Cyberplatforms have also been used extensively for dissemination of operational
information, recruiting, and training purposes.18 For example, hundreds of
websites and online forums host information on the use of explosives, fighting
techniques, and links to encryption programs designed to help followers protect
their sensitive communications. The director of Great Britain’s National Security
Agency counterpart, Government Communications Headquarters, recently
described Twitter, Facebook, and WhatsApp as the “command-and-control
networks of choice for terrorists and criminals.”19

One important characteristic distinguishing the cyberdomain from a conventional
physical battlespace is the variety of means for adversaries to anonymize
their activities. This issue represents a significant dilemma for military commanders
who increasingly are unable to identify actors seeking to exert influence within
a given area of operations, whether they are nation-states, foreign intelligence
services, hackers, criminals, or terrorists. From a targeting perspective, the primary
challenge is linking the cyberpersona to an actual identity behind the digital
representation. As one cryptographer and security expert recently noted, “We’re living
in a world where we can’t easily tell the difference between a couple of guys in
a basement apartment and the North Korean government.”20 This phenomenon
has led to a virtual “arms race between attackers and those that want to identify
them.”21 One recent report has suggested that approximately 90 percent of
terrorist activities taking place online now use social media as a networking tool for
their operations, a situation that has created “a virtual firewall to help safeguard
the identities of those who participate.”22

These adversaries are actively exploiting technologies designed to conceal
identity and veil attribution for operations conducted in the cyberdomain. Online
jihadist forums routinely advise participants on how to avoid detection when
web browsing, including steps for removing geo-location and metadata from
cell phone images and social media content.23 ISIL in particular has been adept
at modifying its cyberbehavioral profiles by changing computers, cell phones,
and messaging apps after one becomes compromised.24 Some ISIL members are
reportedly moving to more secure private messaging apps, such as Telegram,
Kik, and WhatsApp, as a means of protecting internal communications.25 These
methods include the use of encryption and data-destroying software designed to
frustrate surveillance methods.26 FBI Director James B. Comey has been outspoken
over his concerns that adversaries are increasingly “going dark” by employing
tools that make it difficult for legitimate authorities to identify and track emerging
threats. This issue, however, has been controversial and opened a vigorous
debate among security experts and privacy advocates on the emerging challenges
of encryption.

Shortly after ISIL’s November 2015 attacks in Paris, the group announced
that it would move some of its propaganda materials to the so-called Dark Web
as a means of thwarting efforts by social media firms to identify and remove
extremist content from their sites.27 ISIL and other groups have already made use of
such tools as the Onion Router (Tor) that enable users to communicate, post, and
view online content anonymously.28 While not offering perfect protection, Tor
and similar technologies help mask IP addresses and server locations while
encrypting data packets and routing messages through multiple nodes, which make
it difficult for authorities to track and identify users. These anonymity-granting
systems form the architecture for a sizable portion of Internet traffic that is
virtually inaccessible by means of standard web browsers. Tor and other anonymizing
software evolved as classic dual-use technologies with many legitimate uses;
however, they have also created a virtual safe haven for illicit activities.29 More recently
there has been suggestion that these tools have become shadow command and
control networks for terrorist recruitment, financing, and planning.

In addition to the Dark Web, the evolution of digital cryptocurrencies, such as
Bitcoin, provides another means for conducting pseudonymous transactions that
are difficult for authorities to monitor and trace.30 For example, Bitcoin is considered
pseudonymous because an individual user is represented by a random,
cryptographically generated string of digits that do not directly reveal a participant’s
identity. These architectures generally enable users to transfer funds with lower
risk of detection and greater ability to conceal their physical location.31 There is
also evidence that some terrorist groups are using digital currencies to finance
activities, a trend that is likely to be a growing concern as Western governments
close off terrorist access to the legitimate international financial system.32 The
head of the U.S. Treasury Department’s Financial Crimes Enforcement Network
recently cited the growing risk from global point-to-point transactions and digital
pseudonymity that enables these groups to move funds instantly across borders,
often without detection.33 Highlighting these concerns, National Security Agency
Director Admiral Michael S. Rogers recently revealed the increasing amount of
time his agency spends monitoring threats on the Dark Web and tracking people
who cannot easily be found through conventional digital surveillance methods.34

Protected identities and complicated attribution have also made the cyberdomain
an ideal space for conducting digital “denial and deception” operations.
Denial and deception describes actions taken by an adversary to degrade or
neutralize an opponent’s intelligence collection or efforts that deliberately mislead
observers as to the true nature of an activity. Cyberspace offers many tools and
methods for crafting such misperception. The Internet is rife with fake Twitter
accounts, digital avatars, and anonymizing software that can be used toward such
ends. One such example was observed in early 2015 when a group known as the
Cyber Caliphate, originally believed to be affiliated with ISIL, gained notoriety
by briefly taking control of U.S. Central Command’s Twitter account and exposing
the personal information of some senior U.S. military members. Several
months later, however, a private cyberintelligence firm called into question the
group’s ISIL affiliation and revealed possible links to a Russian-backed
cyberespionage group that had been associated with previous attacks against “NATO,
the Ukrainian government, and European Union networks.”35 These connections
became evident only after a thorough forensic analysis revealed technical
indications of a digital false flag operation used as a deliberate attempt to conceal the
source of the attacks.36

Another example of spoofed digital identities used for military purposes was
seen recently when a pro-Syrian regime group known as the Syrian Electronic
Army (SEA) created fake online avatars to identify and target opposition
members.37 In this example, fictitious personae were used as part of a phishing
campaign to gather detailed personal information including names, locations, and IP
addresses of opposition members, media activists, humanitarian aid workers, and
other individuals deemed dangerous to the regime.38 From this information, SEA
was able to access users’ Skype accounts, mobile apps, and social media sites to
exploit address books, SMS messages, and email contacts from their targets. This
kind of aggressive social media exploitation produced what was described as
“actionable military intelligence for an immediate battlefield advantage” that enabled
pro-Assad forces to identify, track, and target key opposition members.39 SEA
in effect operated as a de facto national cyberforce conducting cyberoperations
on behalf of the regime; however, the identities of the individuals behind these
operations and the nature of their relationship to the government remain
ambiguous.40 According to experts in the field, such methods are predicted to become
“a routine part of even the most low-tech, if brutal, civil wars and available to
those operating on a shoestring budget.”41

All of these examples demonstrate the degree to which use of the cyberdomain
by irregular adversaries has altered the relative balance of power vis-a-vis
conventional military forces. The first digital revolution—based on advances in
data processing, remote sensing, and satellite communications—was instrumental
for enabling well-resourced state militaries to operate on a global scale, share
real-time information, and concentrate combat power across time and space. Due
to the complexity and expense of these systems, the operational benefits of this
first revolution were generally limited to a handful of large military forces;
however, the democratization of digital technologies has arguably overturned this
dynamic.

Social networking, mobile communications, and global access to the Internet
have enhanced the power of individuals and small groups relative to that of
nation-states and hierarchical bureaucratic entities. The second digital revolution
has lowered the barrier of access to advanced technical capabilities previously
limited to first tier militaries. Now, relatively sophisticated cybertools are available
even to poorly resourced actors. This rapid diffusion of digital technology has
arguably become a key enabler for irregular warfare and accelerated the
disaggregation of power away from conventional military forces.42 The cyberdomain
provides nonstate groups with a means to communicate, coordinate, and project
influence on a global scale without requiring significant investment in research
and development infrastructure or even a formalized program of procurement.
These developments present a number of operational challenges for U.S. forces
as well as questions on how to properly place these emerging threats within an
appropriate doctrinal framework.

An Evolving Doctrinal Framework for Targeting in the Cyberdomain

The aforementioned examples of how ISIL and other nonstate actors are using
cybertools to create effects in the physical battlespace present a number
of challenging doctrinal questions. Technically speaking, most of these activities
do not constitute cyberoperations per se, even as adversaries use cybertools to
produce demonstrable effects on the ground. The purposes of these activities—command
and control, intelligence gathering, training, recruiting and propaganda—do
not in fact represent cyberoperations in a doctrinal sense.43 Nevertheless,
they do exploit some of the unique characteristics of the cyberdomain to protect
identity, veil attribution, and complicate targeting. The U.S. military has only
recently begun considering the implications of how emerging cybertools may be
applied on future battlefields as well as how to categorize such activities to develop
appropriate responses, protocols, and targeting methodologies.

One expert in the field recently noted how the lack of historical example
and the cross-domain nature of cyber make it extremely difficult to fit these
concepts into an existing doctrinal framework.44 One important catalyst for these
discussions was the 2011 publication of the Department of Defense Strategy for
Operating in Cyberspace. This document marked a doctrinal paradigm shift by
designating cyberspace as a distinct yet interdependent operational domain equivalent
to that of air, land, maritime, and space.45 This designation tacitly acknowledged
the militarization of cyberspace and highlighted the fact that cyberoperations are
expected to play a critical role in future conflicts.46

The DOD strategy paper also acknowledged the unique characteristics of
cyberoperations that complicate the direct application of conventional warfighting
concepts to this domain. Most obviously, threats in cyberspace do not recognize
national boundaries or formally declared zones of conflict. They are ill
defined, asymmetric, and often difficult to attribute.47 They do not always have a
discernable kinetic parallel in terms of generating unambiguous physical effects.
Furthermore the nature of the technical tools used in this domain can make it
difficult to draw clear operational distinctions between cyberwar, cyberterrorism,
cyberespionage, and cybercrime. These characteristics impose certain limitations
on the application of state-centric security concepts such as deterrence, escalation,
and proportionality in the development of military cyberstrategy.48 Nevertheless,
when it comes to targeting in the cyberdomain, existing doctrine still
generally applies a conceptual framework that more or less mirrors the methods
applied to conventional maneuver warfare.49 This fact seems to reflect a degree
of doctrinal inertia that dangerously underestimates the unique operational
characteristics of this domain.

As already discussed, one of the most important characteristics making the
cyberdomain uniquely challenging from a targeting perspective is the issue of
attribution. As a basic technical matter, this differs significantly from conventional
military operations where uniforms, weapons systems, and physical geography
generally produce detectable signatures that can reveal an adversary’s
identity, location, and activities.50 The conventional Intelligence, Surveillance,
and Reconnaissance capabilities at the operational level, however, presently
offer relatively few tools to help commanders visualize the cyberpersona layer
of their immediate operational environment.51 At these echelons, cyberintelligence
focused primarily on issues of network defense and information assurance.
This situation is partly due to a lack of cyber-resources and technical expertise
below the strategic level; however, there is also a conceptual component that has
slowed progress on this front.

U.S. military organizations generally remain focused on conventional warfighting
concepts and consequently struggle with the more abstract implications
of how adversaries might apply cybertools to create effects in the physical
battlespace. This mindset also applies generally to operational planners who are
more comfortable thinking in terms of the traditional elements of combat power:
mass, maneuver, and firepower. Yet, these factors are less obviously applicable
as conceptual anchors for understanding the military effects of cybertools or
selecting the best means of targeting adversaries operating within this domain.

Recent doctrinal publications have made some progress in offering a framework
for understanding how the cyberdimension shapes the overall operational
environment. Cyberspace Operations describes this space in terms of three distinct
layers: a physical network forming the medium where data travels, a logical network
representing the signal topology and arrangement of devices on the network,
and finally the cyberpersona layer representing the digital representation of
individuals or entities operating in cyberspace (figure 1).52 The cyberpersona layer
is the abstract representation of the actors behind the network and represents
the most challenging aspect from a targeting perspective. For example, complex
digital identities could manifest concurrently at multiple locations while some
may not even be traceable to a single discrete physical node. A single entity may
have multiple cyberpersonae, such as the case with Russian Internet trolls who
conduct information campaigns by using dozens, sometimes hundreds of digital
identities.53 Alternatively, a single cyberpersona could represent numerous different
user identities, such as the case with the online activist group Anonymous.54
For this reason, the actions of a cyberpersona may not easily be attributed to
a state, an army, or an individual actor.

Figure 1. The three layers of cyberspace
Adapted from U.S. Army, Cyberspace Operations Concept Capability Plan 2016-2028 by MCUP.

These abstractions make it difficult to conceptualize how military forces might
effectively integrate cybereffects into a conventional targeting plan. Without a
clearly defined adversary identifiable as a dot on a map, much of the basis for
conventional targeting doctrine becomes untenable. Furthermore, in the cyberdomain,
launching attacks against an adversary’s computers, cell phones, and social media
accounts may actually have the adverse effect of eliminating the only source of
insight on the identities and operations of the network. In light of these
challenges, the latest DOD cyberstrategy moves in the right direction by emphasizing
the need for improved “intelligence and attribution capabilities help to unmask an
actor’s cyberpersona, identify the attack’s point of origin, and determine tactics,
techniques, and procedures” to support credible deterrence, response, and denial
operations.55

One recent paper on cyberintelligence noted how dealing with these threats must go
beyond the issue of network defense.56 As doctrinally defined, cyberoperations do
not encompass the growing scope of influencing activities that are now taking place
in the digital domain. Therefore, cyberintelligence must evolve as an all-source
discipline and not be limited only to the technical aspects of network protection.
This means that cyberanalysts must also have an understanding of the human dimension
of cyberoperations. This includes techniques for identifying the actors behind the
keyboards; knowing how adversaries plan, coordinate, and execute their operations;
and understanding what motivates them toward action.57 In many respects, this makes
targeting in the cyberdomain a logical extension of the identity-based approaches
refined during recent conflicts.

New Technologies and Methods for Building Cyber Situational Awareness

As the cyberdomain increasingly represents “key terrain” of irregular warfare, the
task of developing situational awareness will become a critical need for
conventional military forces. This will involve integrating new technical tools and
analytical methods designed specifically for identifying, tracking, and targeting
anonymous actors using cybertools as a medium for creating effects in the physical
landscape. The urgent need for “strong intelligence, forensics, and indications and
warning capabilities to reduce anonymity in cyberspace and increase confidence in
attribution” was recognized in the DOD’s most recent cyberstrategy document.58 At
the present time, however, military commanders, particularly at the operational
level, still lack the technical means and analytical methods for identifying these
actors, mapping their activities, and understanding how they exert influence on the
battlefield. The high-profile case of Jihadi John demonstrated the power of being
able to identify an unknown actor on social media and then link digital patterns of
life information to an actual person, a physical location, specific activities, or
associations; however, the hunt required national level assets far removed from
operational commanders.59

Traditional computer network analysis can provide methods for obtaining some
contextual information through technical means. For instance, an anonymous
cyberpersona must still interface through a physical plane that contains information
about device hardware and operating characteristics. Additionally, analysis of the
logical plane may reveal such information as network addresses and configuration
settings, and in some cases, even the geographic location of a user. While these
attributes can help to characterize how a cyberpersona operates, they do not
necessarily expose the identity of the individual behind the screen. To derive this
type of information, a cyberpersona would need to be linked to an identifiable user
account, digital certificates, or stored biometric data, but even this information
may not provide a definitive picture of whose fingers are on the keyboard. This
offers the cyberequivalent of signature-based targeting where analysts infer a
target’s identity based on the characteristics of observed activity. This method
does not necessarily reveal exactly who is using a SIM card, however, only whether
or not the users’ activities fit a known behavioral pattern.

This example also highlights the point that insurgents, terrorists, and irregular
combatants do not emanate the same technical signatures as conventional military
forces; therefore, characterizing and targeting these entities requires different
collection methods and analytical approaches. This is true regardless of whether the
adversary occupies a physical presence on the battlefield, hides among an indigenous
population, or operates as a cyberpersona maneuvering through the digital landscape.
Also, unlike professional armies that function on doctrinal precepts, irregular
forces generally have less discernable templates guiding their actions, making
predictive analysis a much more daunting challenge. For these reasons, identity-based
targeting in the cyberdomain requires tools and methods that are better able to
exploit remotely accessible attributes and indicators.

As one example, behavioral biometrics offers some potential techniques for
establishing identity by indirect means that may be well suited to the challenges of
cyberoperations. In general terms, behavioral biometrics refers to identifying
characteristics that are learned or acquired over time rather than those based
primarily on biology — for instance, using such features as “style, preference,
knowledge, motor-skills or strategy” that people use in “human actions which result
from specific to everyday human skills.”60 Some common examples of measurable traits
include handwriting, keystroke movements, or mouse dynamics. Other examples include
distinguishing behavioral patterns that can be derived from common online
activities, including email routines, digital device interactions, or credit card
usage.

Where traditional biometrics can be limited in use, behavioral biometrics often
provides missing benefits; most notable is behavioral biometrics’ potential for
“stand off” or noncompliant collection. For instance, patterns of email usage or web
surfing offer the possibility of deriving unique user identifications with the
advantage of nonobtrusive collection. Multiple studies have demonstrated how unique
behavioral profiles can be derived from the peculiarities of message stylization,
temporal activity, sentence structure, and other variables.61 This has obvious
applications for resolving ambiguous identities derived from user accounts or
devices shared among multiple individuals. Similar applications have been developed
to spot aberrant behavior on social media platforms, such as detecting fake Twitter
and Facebook accounts. Behavioral biometrics can also be applied to help identify
online deception campaigns by analyzing linguistic cues, usage patterns, social
connections, and physical locations to help characterize the identities behind the
posts.

Behavioral biometrics is also being used to modernize the analysis of “digital
handwriting” or dynamic signatures derived from the unique way a user types or
manipulates a digital device. These cognitive-biometric attributes are being used
for identity authentication on mobile devices by analyzing such factors as
handedness, hand tremor, eye-hand coordination, keystroke analysis, and other
identifiable patterns derived from human-machine interactions.62 Researchers have
found these behavioral patterns to be “complex, nuanced and instinctive,” thereby
offering a highly accurate method for identifying individuals based on their use of
digital devices.63
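
As an added illustration of the keystroke analysis described above (not code from the article or from any system it cites), the Python sketch below enrolls a typing template from key dwell and flight times and scores new samples with a scaled Manhattan distance. The phrase, timings, threshold, and all function names are constructed assumptions.

```python
"""Keystroke-dynamics verification sketch (added example, constructed data)."""
from statistics import mean

MIN_DEV_MS = 1.0   # floor so a perfectly consistent feature cannot divide by zero
THRESHOLD = 3.0    # assumed cut-off: average deviation of 3 MADs per feature


def make_sample(keys, dwells, flights):
    """Build (key, press_ms, release_ms) events from dwell and flight times."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        if i < len(flights):
            t = t + dwells[i] + flights[i]
    return events


def features(events):
    """Dwell time of each key, then flight time between consecutive keys.

    Flight may be negative when the typist presses the next key before
    releasing the previous one; that overlap is itself a typing habit.
    """
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template: per-feature mean and mean absolute deviation (MAD)."""
    if len(samples) < 2:
        raise ValueError("need at least two enrollment samples")
    keys = [[k for k, _, _ in s] for s in samples]
    if any(k != keys[0] for k in keys):
        raise ValueError("enrollment samples must be the same phrase")
    columns = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in columns]
    mads = [max(mean(abs(x - m) for x in c), MIN_DEV_MS)
            for c, m in zip(columns, means)]
    return {"keys": keys[0], "means": means, "mads": mads}


def score(template, events):
    """Scaled Manhattan distance, averaged over features (0 = identical)."""
    if [k for k, _, _ in events] != template["keys"]:
        raise ValueError("probe is not the enrolled phrase")
    probe = features(events)
    return mean(abs(x - m) / d
                for x, m, d in zip(probe, template["means"], template["mads"]))


def verify(template, events, threshold=THRESHOLD):
    """True when the probe's typing rhythm fits the enrolled pattern."""
    return score(template, events) <= threshold


# Constructed timings (milliseconds) for one account owner typing "pass".
PHRASE = list("pass")
ENROLLMENT = [
    make_sample(PHRASE, [95, 80, 110, 90], [120, 60, 140]),
    make_sample(PHRASE, [100, 85, 105, 95], [115, 65, 150]),
    make_sample(PHRASE, [90, 78, 112, 88], [125, 55, 145]),
    make_sample(PHRASE, [98, 82, 108, 92], [118, 62, 138]),
]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = make_sample(PHRASE, [96, 81, 109, 91], [121, 61, 143])    # same rhythm
IMPOSTOR = make_sample(PHRASE, [140, 60, 70, 150], [40, 200, 30])   # other typist

if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: score={score(TEMPLATE, probe):.2f} "
              f"accepted={verify(TEMPLATE, probe)}")
```

A low score says only that the typing fits the enrolled behavioral pattern; as with the SIM card example earlier in the article, it does not establish who is at the keyboard.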

Another recent experiment has identified unique “egocentric video biometrics” derived
from raw video footage taken from head- and body-mounted cameras.64 One potential
application of this technique would be the ability to locate all videos shot by a
single user from within a large database of digital files even without the benefit
of descriptive metadata. Similar techniques have been developed for generating
biometric authentication from computer mouse manipulation and fitness tracking
devices. Such information could be invaluable for identity verification when
combined with precise geo-location derived from a mobile device or when correlated
with other social media activity. As humans increasingly maintain nearly continual
interaction with their digital devices, the field of behavioral biometrics
potentially offers a range of techniques well suited for deriving identity
information from online activities.

The ability to apply digital forensics or behavioral biometrics to positively
identify cyberpersonae will also increase the value of social media exploitation.
While this remains a complex technical challenge due to vast amounts of low-value
raw data, it does offer some means for mapping out an increasingly complex digital
landscape and identifying key nodes of activity that could influence the physical
battlespace. For example, in early 2014, analysts were able to track Russian
military movement into Crimea using social media “bread crumbs” dropped by personnel
preparing for mobilization. Separately, YouTube videos and Twitter messages posted
by Russian irregulars provided the first hints of attribution for the downing of
Malaysia Airlines Flight 17 in eastern Ukraine in July 2014.65

The ability to derive useful identity information of threat actors from a vast sea
of digital activity will depend on major advances in computing power and new
analytical methods. Artificial Intelligence, machine learning, and methods for
dealing with the challenge of interpreting “big data” are areas where technology is
expected to improve the ability of analysts to sort through large amounts of
unstructured information to discern patterns, trends, and embedded associations
among actors.66 These tools could be particularly useful for discovering unseen
correlations between the online activities of cyberpersonae and identity signatures
in the physical domain. These tools have already demonstrated significant potential
for improving the accuracy and power of standard biometric modalities, such as
increasing the speed and accuracy of the image recognition applications used by
Facebook, Google, Microsoft, and Twitter.67

In addition to new collection modalities, U.S. forces will need innovative
approaches to informational management that are better suited for processing the
vast amounts of data generated by a world of networked adversaries. A recent white
paper by the under secretary of defense for intelligence highlighted the nature of
this new environment by noting how individuals are increasingly becoming
“self-documenting” by creating digital trails of potentially useful data during the
conduct of their daily lives.68 Ubiquitous interconnectivity via email, social
media, digital commerce, and interface with the “internet of things” all combine to
create a dense layer of interactions that expose much of who we are, where we go,
and how we live our lives. This phenomenon presents a significant analytical
challenge to derive meaning and actionable intelligence from the deluge of big
data.69

Relatively new concepts — for example, Activity-Based Intelligence (ABI) and
Object-Based Production (OBP) — provide some examples of analytical approaches that
may be well suited for identity-based targeting in such data-rich environments. For
example, ABI exploits the potential of big data by replacing collection
discipline-centric analysis with an activity-based approach that focuses on all of
the physical and virtual transactions associated with a specific entity.70 ABI was
originally conceived as an analytical approach optimized for identity-based
targeting on an irregular battlefield by focusing on the interactions and
associations that define adversary networks.71 This methodology was used to generate
the kind of pattern of life analysis needed to dismantle insurgent groups in Iraq
and Afghanistan.

Similarly, OBP is designed to deal with the challenge of information discovery and
attribute correlation in an environment defined by disaggregated and heterogeneous
data. As a method, OBP focuses on organizing information around a single object such
as “people, places, and things [that become] the single point of convergence for all
information and intelligence produced about a topic of interest.”72 This way of
organizing data enables an analyst to visualize an entity’s attributes,
associations, and activities. For example, the information relating to an individual
or group can be correlated with all information linked to that object, such as
related attributes, common activities, or associations with other similar
entities.73 This could also include linkages to physical attributes from biometric,
biographic, or forensic data. These novel approaches to information management may
be better able to support the kind of data-intensive analyses that are needed to
uncover deeply embedded associations from within large amounts of unstructured
identity data scattered across the digital landscape.

As the military searches for new technologies to improve cyber situational
awareness, it is likely that the commercial sector will provide some of the most
powerful and innovative tools. As one example, the world of online advertising
provides a useful model for how such cybercapabilities might evolve. In recent
years, these firms have refined methods for resolving the identities of
cyberpersonae using algorithms designed for probabilistic matching. Based on IP
addresses, browser activity, authorship analysis, behavioral cues, and other digital
signatures, these companies have been able to correlate identifiers so that entities
can be tracked as they move across the cyberlandscape.74

Similarly, online retailers routinely gather detailed information about “spending
habits, credit histories, web-surfing histories, social network postings,
demographic information, and so on” for the purpose of market research and
generating “precisely targeted advertising.”75 These activities can be linked and
used to accurately track a single user across multiple devices and platforms by
creating a “digital fingerprint” that correlates the cyberpersona to an actual
physical identity. Social media companies are also becoming skilled at using
geo-tracking, metadata, speech, and content analysis as methods for spotting
unauthorized users or detecting fraudulent activities. In many ways, these examples
offer precisely the kinds of tools needed by military cyberanalysts to help identify
and analyze key influencers within an operational environment and potentially
provide the kind of fidelity to target cyberpersonae across the digital landscape
that the military has used to observe actors in the physical battlespace.

Conclusion

In recent years, there have been several vivid examples of adversaries using
cybertools to create substantive military effects in the physical domain. These have
included many activities falling outside of the strict doctrinal definition for
cyberoperations. In particular, these tools have played an increasingly visible and
consequential role in a wide range of irregular conflicts as part of terrorism
activities and in gray zone or hybrid conflicts. One commonality among these
examples is that both state and nonstate actors have leveraged the anonymity offered
by cybertools as a means of creating strategic ambiguity and confusion over
attribution of their activities. While deception and surprise have always been
elements of warfare, these recent examples of state and nonstate actors using
sophisticated technologies to mask identity present a significant challenge to
conventional military targeting methods.

Dealing with this new kind of threat will require a paradigm shift in thinking about
the meaning of situational awareness and targeting in the cyberdomain. A first
important step will be better educating mid-level military leaders about the
technical aspects of cyberoperations. This includes offering a clear doctrinal
framework that integrates cyberconsiderations into the overall planning cycle and
targeting process at the tactical and operational levels. This will require improved
tools and analytical methods so that military commanders below that strategic level
can have a common operational picture that takes into account all entities
influencing the battlespace, including actors in the cyberpersona layer.

For the larger DOD enterprise, these solutions must also consider the looming
challenge of encryption and other technical tools enabling adversaries to operate
anonymously and avoid attribution. This problem will only become more acute as both
state and nonstate adversaries continue to erode the slim relative advantages that
the United States still enjoys with regard to cyberoperations — an edge that many
experts suggest has already disappeared.

One starting point for designing a conceptual approach for cybertargeting may be to
view it as a logical extension of the identity-based targeting techniques developed
during recent campaigns. These examples share similarities in terms of the
challenges faced by military forces when targeting irregular adversaries as well as
the issues of identity and attribution in modern warfare. Expanding existing
concepts such as 12 to the cyberdomain would provide a doctrinal framework for
linking digital identities to corresponding biologic and biographic information in
the physical domain. As a model for military innovation, the recent examples of
biometrics and expeditionary forensics offer useful lessons learned for integrating
nonmilitary technologies onto the battlefield and devising effective doctrinal
frameworks for their use. These capabilities reflect an important operational need
as adversaries increasingly use cybertools in order to create meaningful effects on
the physical battlefield.